Suspicious Recipients pattern with NLU credential theft indicators

calendar Aug 25, 2023  ·
Share on: linkedin copy

Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain

Sublime rule (View on GitHub)

 1name: "Suspicious Recipients pattern with NLU credential theft indicators"
 2description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain"
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
 8  and length(recipients.cc) == 0
 9  and length(recipients.bcc) == 0
10  and any(body.links, .href_url.domain.root_domain not in $tranco_1m)
11  and (
12    any(body.links,
13        regex.icontains(.display_text,
14                        '(view|click|download|goto)?(attachment|download|file|online|document)s?'
15        )
16        or all(body.links, regex.contains(.display_text, "^[A-Z ]+$"))
17    )
18  )
19  and any(ml.nlu_classifier(body.current_thread.text).intents,
20          .name in ("cred_theft") and .confidence in ("medium", "high")
21  )  
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Evasion"
26detection_methods:
27  - "Content analysis"
28  - "Header analysis"
29  - "Natural Language Understanding"
30  - "URL analysis"
31id: "8e121c3e-b9cf-5aa3-b799-e025a69b7d8c"
to-top